No, the #1 reason why we don't get computer security right is that we're programming all computers in C or C++. The majority of exploits could be avoided by using safer languages. Also, nobody security audits software and bug-fixing is not the top priority in the development of end-consumer software.
The #2 reason is that operating system makers (except for the *BSD crowd) don't give a shit about making them secure and do not provide the needs for application programmers to make their applications secure. For example, it's very non-trivial on most operating systems to write a program that never swaps any memory out on disk (and you need to use C for it!). To give another example, until not so long ago you could just grep Apple's file vault password out of the swap file. Don't tell me Apple didn't know about it right from the start...
The #3 reason is that people try to use blacklists against malware, which in principle doesn't work. Instead, extensive support for whitelists would have to be built into operating systems, but unfortunately the makers of proprietary operating systems only use such features to lock down systems (not for security) because they are greedy bastards.
Are you sure you are not operating on fear of a particular 3 or 4 thousand year old book and rejecting everything in it in an irrational and ignorant way?
It's fairly rational to reject what is written in a 3 or 4 thousand year old book. Look, 3 to 4 thousand years ago people didn't know shit about nothing. And here is some advice for you: If you ever travel back in time and visit the Holy Land, don't eat any of the seafood there. Just... don't!
If we were talking about Hawaiian kapu and its instructions on fishing and such would you be more open minded?
No, I fish with dynamite. :p
Sorry to reply so often to my own post, but I feel quite a bit misunderstood by some of the replies.
The context of the post was about reasonable ways to protect US and European production, because these other countries have an unfair advantage due to their lax labor laws or the way these laws are sometimes deliberately not enforced.
Of course, alternatively we could also just abolish all labor protection and work safety regulations in the US and Europe and cut down salaries below the existence minimum in order to compete again...
replace not with only, please
Eh, why is it always Americans who complain about slavery in China and India but on the other hand happily consume products from them?
I'm not an American, though. Also, good luck with trying to consume only products that have not been made under good working conditions.
Here is a suggestion you could make to your local politician:
Companies selling products in the US or Europe must be obliged by law to ensure that some minimal labor standards are maintained in the whole production chain, including all subcontractors and suppliers. If minimum industrial safety and labor protection requirements are violated, the management of the company selling to the end-consumer must be held accountable for it and should definitely face prison terms in serious cases.
Such laws would in the long term help people in countries like India, China, and certain regions of Africa (cocoa plantations, mining, ...), where workers are sometimes held and de facto treated like slaves. In the case of cocoa plantations, for instance, there is a market of child slaves in certain regions of the world. One child costs around $200. That's why chocolate is pretty cheap all around the world. (I am not making this up! This is well-documented.)
Anyway, with such laws in place and being enforced, it would become more viable to produce in the US and Europe again. Of course, some products, especially clothes and chocolate, would also become much more expensive.
Software is another matter. I don't believe Indian programmers are treated significantly worse in terms of working conditions than elsewhere, and salaries are relative, of course.
I don't think he presumed anything, he just stated a fact. Or do you honestly believe the average office suite user is as intelligent as the average LaTeX user? You do know that all mathematicians, all physicists and almost all natural scientists use LaTeX with almost no exception, don't you?
That's the least of the problems with "modern" office suites. Last week I had to convert an article from LaTeX to *shudder* Microsoft Word 2007, because some stupid publisher only accepted Word files. I was astonished to find out that selecting text in Word does not work as you'd expect, it sometimes seems to insist on including the point of the previous sentence. After several unsuccessful attempts I ended up deleting the point manually. I also made acquaintance for the first time with the amusing "simplified" menu system of Word that made it very hard to find the option to change the paragraph indentation in less than 10 minutes. Not to speak of the "formula editor".... To summarize, it is quite amazing that people use Microsoft Office daily and can apparently still get some work done.
I always inadvertently press Ctrl+S instead, because I'm so used to Emacs. Ctrl+W is worse, of course, and I really wish there was a way to give all applications Emacs shortcuts (apart from using Emacs for everything, of course).
Great, the idea of using social media to identify rioters, dissidents and other criminals has already proved very successful in China, another flourishing democracy. Just don't forget to send death threats to the rioters, make sure they lose their jobs, and humiliate them publicly before handing them over to the authorities. In combination with censorship this creates exactly the right amount of fear and respect for authorities that is needed to keep the citizens calm.
Two more you've left out:
Ada: Some complex, few bug opportunities, very verbose, very fast, suitable for system programming
Racket: Fairly simple, some bug opportunities, not at all verbose, fast, not suitable for system programming
Let me guess, an outside European perspective gained from reading The Daily Mail?
You've guessed wrong, my sources are mainly the BBC and the New York Times.
The number of cameras in Britain is massively over exaggerated.
Trust me, in comparison to other European countries the number of cameras in the UK is INSANE.
and face-recognition software is used to identify people on it
Not sure why this is a sign of totalitarianism.
And you don't see any irony in this statement?
Is it less totalitarian if you have a human matching the faces to photographs?
No, just more expensive. Or, perhaps, it's a bit more totalitarian because face recognition can be applied automatically. It can also be extended to the recognition of gestures and behavioral patterns, which would lead straight down a slippery slope into an Orwellian nightmare state.
and all big parties are decidedly right-wing
Bullshit. One of the two parties in our coalition government is still slightly left of centre, and my MEP is from a decidedly left-wing party.
Well, I acknowledge that they don't appear right-wing to you, but they do appear so to me and others I've talked with.
it is still legal in the UK to beat up your children
any UK news source, then you'd see examples of parents being imprisoned and having their children taken into care for this.
That's not true: as opposed to most other countries in Europe, corporal punishment by parents is not illegal in the UK---as long as it leaves no traces on the body!
Wikipedia: "In the UK, spanking or smacking is legal, but it may not leave a mark on the body and in Scotland since October 2003 it has been illegal to use any implements when disciplining a child."
That in combination with a poor underclass with low job opportunities are basically a warrant for youth violence.
Look, I wasn't intending to say that the UK actually is more totalitarian than other European countries (it could well be, but I don't know), it just looks like that from the outside. Sorry if this displeases some British people, perhaps it's just a PR problem.
Personally, as long as I don't have to move to the UK for some reason I don't give a fuck.
I'm sorry to say that but for an outside European observer the UK is becoming more and more like a totalitarian country. There are cameras everywhere and face-recognition software is used to identify people on it, the law system is "by custom" or however it's called, internet and phone surveillance everywhere, and all big parties are decidedly right-wing. It might not come across like that to UK citizens, but outside the UK people are more and more frightened and alienated. (It didn't help that Tony Blair was George W. Bush's biggest pal for no apparent reason except perhaps that he was being blackmailed.)
In this case, the only response was a hard crackdown on rioters. But the fact is that many of these rioters belong to a large group of socially outcast poor people that have been neglected and ignored by politicians for the past few decades and that it is still legal in the UK to beat up your children. It's a miracle that these protests are so limited, and violence will reoccur as long as the only way to deal with it is sending more police (or the military!) into London suburbs.
One question, since you seem to have used ZeroMQ.
Have you used UDT as well? How does ZeroMQ compare to UDT? Which one is faster/has lower latency as a replacement for TCP over the (non-local) Net?
I'm just wondering, because I'm unsure which of them to choose.
In the end, we'll all end up with having to make a choice: Either we buy an Apple product or we will have to use an octahedral pocket device/phone and a command line TUI because anything else will violate some of Apple's patents. Oh wait a minute....now that I've mentioned it, some company will probably file a design patent for octahedral electronic devices with command line TUI...
Why is the above poster modded Flamebait? He's completely right. If you take GPL code you have to release your application under the GPL. What's so hard to understand about that? People accept the most ridiculous license terms for proprietary software but once it's about the GPL they start whining when they realize they can't use it for their proprietary shit software. Well, guess what, write your own fucking code!
So let me chime in and say: Hopefully these assholes and all other GPL violators get sued into fucking oblivion!
I guess a lot of Slashdot readers would like nothing better than to see Facebook fade away into history like MySpace, Geocities and whats-its-name.
Wait a minute...Geocities was great! The rest is shit, though, you're right about that.
And to lead this thread entirely off topic, does anyone remember what this BBS-style commercial software for the Mac was called that people could use for free to meet in sort of "chat rooms" (on a central server) and trade pirated software? Its height was about the same time as Geocities. I just can't remember the name of it and was wondering what happened to this company. Is it still around?
Encryption and identity have to be tied together. It's a fundamental aspect of the mathematics.
That's an urban myth that has perhaps been popularized by government employees who have an interest in limiting the use of encryption on the Net. In practice, only a limited number of people can successfully launch a man-in-the-middle attack and an SSL encrypted connection without authentication is more secure than a completely unencrypted connection in almost all usage scenarios.
Also, centralized CAs are themselves relatively untrustworthy.
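The distinction the reply above draws between a passive eavesdropper and an active man-in-the-middle is easy to show on a toy Diffie-Hellman exchange. The following simulation is an added example, not code from the original post: Alice and Bob derive a key with no authentication, a passive attacker who only records the wire learns nothing useful, an active attacker who substitutes public values ends up holding one key per victim and can read and alter traffic, and an out-of-band fingerprint comparison (the identity binding the quoted claim refers to) is what detects the substitution. The 127-bit group, the XOR stream cipher and the message are constructed for the demo and far too weak for real use.

```python
import hashlib
import secrets

# Constructed toy group: 2^127-1 is prime, but 127 bits is far too small
# for real use; real deployments use 2048-bit+ MODP groups or ECDH.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """One side's (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Hash the shared secret g^(ab) mod p into a 32-byte symmetric key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short hash of a public value, the thing you would compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 keystream.  No integrity; demo only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PassiveEavesdropper:
    """Sees every value on the wire but cannot change anything."""

    def __init__(self):
        self.seen = []

    def relay(self, direction, value):
        self.seen.append((direction, value))
        return value


class ActiveMitm:
    """Replaces each public value with its own, ending up with one key per victim."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.key_with = {}
        self.read = None

    def relay(self, direction, value):
        victim = direction.split("->")[0]          # whoever sent this value
        self.key_with[victim] = dh_shared_key(self.priv, value)
        return self.pub                            # the other side gets ours instead


def run_exchange(attacker, message=b"transfer 100 to account 42"):
    """Alice sends Bob one message under DH-derived keys while `attacker.relay`
    sits on the wire.  Returns (what Bob decrypts, whether Alice's out-of-band
    fingerprint check passed)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_pub_at_bob = attacker.relay("alice->bob", a_pub)
    b_pub_at_alice = attacker.relay("bob->alice", b_pub)
    k_alice = dh_shared_key(a_priv, b_pub_at_alice)
    k_bob = dh_shared_key(b_priv, a_pub_at_bob)

    # Identity binding: Alice compares the fingerprint of what arrived with
    # the one Bob gave her out of band (assumed already known to her).
    fingerprint_ok = fingerprint(b_pub_at_alice) == fingerprint(b_pub)

    ciphertext = xor_stream(k_alice, message)
    if isinstance(attacker, ActiveMitm):
        # Decrypt with the Alice-side key, tamper, re-encrypt with the Bob-side key.
        plaintext = xor_stream(attacker.key_with["alice"], ciphertext)
        attacker.read = plaintext
        ciphertext = xor_stream(attacker.key_with["bob"], plaintext.replace(b"42", b"66"))
    return xor_stream(k_bob, ciphertext), fingerprint_ok


if __name__ == "__main__":
    print(run_exchange(PassiveEavesdropper()))   # message intact, fingerprint ok
    print(run_exchange(ActiveMitm()))            # message altered, fingerprint mismatch
```

Against the passive attacker the keys match and the message arrives intact, which is the "better than plaintext" case the reply makes; against the active attacker both sides still see a successful handshake, and only the fingerprint comparison, i.e. some identity binding, tells Alice that the public value she received is not Bob's.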
Reading the details I really wonder why this is supposed to be a government-backed attack. Neither the trojan nor the attack vector described by the guy from Symantec look very sophisticated to me. From a government-sponsored attack I'd at least expect some previously unknown exploits, rootkit, traffic tunneling, anti-virus product circumvention and generally more efforts to hide that there is a trojan or an outgoing connection.
There must be something missing. So, what's so special about this particular persistent attack?
Avoid .com domains, and if you're really successful also avoid doing business with the US altogether because of the patent trolls. Then you should be (mostly) fine for some time. Oh...I forgot...and don't link to anything you haven't written yourself...ever!
Being the most professional system for PDF generation, I went with LaTeX
I have used LaTeX for my thesis and the book resulting from it, as well as for typesetting another book for an international publisher and tons of papers, and I'm afraid I have to disagree with this statement. It's perhaps the most professional free PDF creation tool but nevertheless has countless flaws. Apart from the arcane underlying ad hoc language with global namespace the most severe flaw of LaTeX is the paragraph formatting algorithm, which simply does not work with fixed page height (i.e. \raggedbottom which is required by almost every publisher). Even using all the microkerning options in pdflatex it is a pain in the ass to get the paragraph formatting of LaTeX even halfway right. You have to tweak every second page manually and pray no contribution requires a last minute change.
It would be nice to have a free and more modern alternative. For texts with formulas I'm only aware of one, lout, but it doesn't have enough features.
...is just the right combination of bullshit and immorality the world has been waiting for!
First of all, I have nothing against the government spending money on computer game graphics engines, in fact I think such money is wisely spent (more wisely than most defense projects, at least). However, out of sheer curiosity I'd like to know how a small software company can get 2 million AUD$ government funding?
What about this: What counts is trust. You need to make a network where everybody connects directly with trustworthy friends ONLY---talking real friends, not "Facebook friends." These are connected with other trustworthy friends, but friendship is not transitive, and so you cannot connect with the friends of your friends unless they are already your friends. On top of this, add an onion-routing based mechanism to request things from friends, and their friends if they don't have it, and so on, until the requested entity is found and onion-routed back.
Assuming it's technically implemented in the right way, a node in such a network can only be compromised when a friend betrays you. As long as you add only real friends, the network is pretty safe and very hard to subvert. I wanted to implement this myself but the NAT traversal without central servers needed for this to work turned out to be a tough nut to crack. Of course, using a broadcast/flooding search the network is also not very efficient. But perhaps someone finds the idea interesting...?
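The friend-to-friend overlay sketched in the two paragraphs above can be simulated in a few dozen lines. This is an added example, not the poster's code: nodes only ever exchange messages with explicitly added friends, a lookup floods outward with a TTL and a random request id, and the reply comes back hop by hop along the path the request took, so each relay sees only its direct neighbours and cannot tell an originator from another relay. The per-hop layered encryption of real onion routing and the NAT traversal the poster mentions are left out; the node names and the stored content are constructed for the demo.

```python
import hashlib
import secrets


class Node:
    """One peer in a friend-to-friend overlay.  It talks only to `friends`."""

    def __init__(self, name):
        self.name = name
        self.friends = set()
        self.store = {}          # content id -> bytes
        self.seen = {}           # request id -> node that handed it to us
        self.observed = []       # everything this node could see on the wire

    def publish(self, data):
        """Store content under its hash; the hash is what others search for."""
        cid = hashlib.sha256(data).hexdigest()
        self.store[cid] = data
        return cid


def befriend(a, b):
    """Friendship is mutual and explicit; nothing is inferred transitively."""
    a.friends.add(b)
    b.friends.add(a)


def handle_request(node, req_id, cid, ttl, prev_hop):
    """Flooding search.  Returns the content if some reachable friend has it,
    routing the reply back along the path the request took.  A node sees only
    the neighbour that handed it the request and the one that answered."""
    if prev_hop is not None and prev_hop not in node.friends:
        raise PermissionError(f"{node.name} does not talk to {prev_hop.name}")
    if req_id in node.seen:          # loop / duplicate suppression
        return None
    node.seen[req_id] = prev_hop
    node.observed.append(("req", req_id, prev_hop.name if prev_hop else None))
    if cid in node.store:
        return node.store[cid]
    if ttl == 0:
        return None
    for friend in node.friends:
        if friend is prev_hop:
            continue
        data = handle_request(friend, req_id, cid, ttl - 1, node)
        if data is not None:
            node.observed.append(("reply", req_id, friend.name))
            return data              # handed back to prev_hop by this return
    return None


def fetch(origin, cid, ttl=4):
    """Originate a lookup.  The request id is random, so a relay cannot
    distinguish the originator from any other relay."""
    req_id = secrets.token_hex(8)
    return handle_request(origin, req_id, cid, ttl, None)


def exposure(node):
    """Names a compromised `node` could learn from its traffic: only direct friends."""
    return {name for _, _, name in node.observed if name is not None}


if __name__ == "__main__":
    a, b, c, d, e = (Node(n) for n in "ABCDE")
    for x, y in ((a, b), (b, c), (c, d), (d, e)):
        befriend(x, y)
    cid = d.publish(b"constructed sample document")
    print(fetch(a, cid))                 # found three hops away
    print(exposure(c))                   # C only ever saw B and D
```

The `exposure` helper is the point of the simulation: the relay in the middle of the chain logs the request coming from one friend and the reply coming from another, and nothing else, which is the "only a friend can betray you" property the poster describes. The cost is also visible: every lookup is a flood, so the TTL is all that keeps one request from touching the whole reachable graph.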
I did mention it has fake wheels, didn't I?